Using static analysis to detect coding errors in open source security-critical server applications

Editor’s Note: In this excerpt from their book Embedded Systems Security, the authors analyze three popular, security-critical open source applications (Apache, OpenSSL, and sendmail) and demonstrate how static analysis of the underlying C code can find bugs that are often overlooked during manual inspection.

Many would argue that the code quality of some popular open source applications is expected to be relatively high. As one person put it, “By sharing source code, open source developers make software more robust. Programs get used and tested in a wider variety of contexts than one programmer could generate, and bugs get uncovered that otherwise would not be found.”[1]

Unfortunately, in a complex software application (such as Apache), it is simply not feasible for all flaws to be found by manual inspection. To help demonstrate the types of coding errors that can be efficiently detected and prevented using static source code analysis, we consider a case study of three popular, security-critical open source applications - Apache, OpenSSL, and sendmail - that were analyzed using Green Hills Software’s DoubleCheck static source code analyzer.

Apache is an open source hypertext transfer protocol (HTTP) server, the most popular in the world, powering a majority of the websites on the Internet. Given the ubiquity of Apache and the world’s dependence on the Internet, the reliability and security of Apache represent an important concern for all of us. A serious flaw in Apache could cause widespread inconvenience, financial loss, or worse. The Apache web server consists of approximately 200,000 lines of code, 80,000 individual executable statements, and 2,000 functions.